Postfix: Difference between revisions
(→DMARC) |
(→DKIM) |
||
(One intermediate revision by the same user not shown) | |||
Line 14: | Line 14: | ||
=== DKIM === |
=== DKIM === |
||
;Testing |
|||
* See also guides in DMARC below for DKIM testing / validation. |
|||
;Install |
;Install |
||
Line 36: | Line 38: | ||
We verify that it works correctly: |
We verify that it works correctly: |
||
* To check domain key validity, visit http://dkimcore.org/tools/keycheck.html. |
* To check domain key validity, visit http://dkimcore.org/tools/keycheck.html. Typically use <code>default</code> as '''selector'''. |
||
* To verify that DKIM is correctly configured, send a mail to <code>check-auth@verifier.port25.com</code>. You should see <code>DKIM check:pass</code>. |
* To verify that DKIM is correctly configured, send a mail to <code>check-auth@verifier.port25.com</code>. You should see <code>DKIM check:pass</code>. |
||
: Alternatively, send a mail to a gmail account under your control, and check in email's headers that <code>dkim=pass</code> is present in the <code>Authentication-Results</code> header field. |
: Alternatively, send a mail to a gmail account under your control, and check in email's headers that <code>dkim=pass</code> is present in the <code>Authentication-Results</code> header field. |
Latest revision as of 08:23, 16 October 2024
References
- ADDRESS_REWRITING_README — Postfix Address Rewriting
- LOCAL_RECIPIENT_README — Rejecting Unknown Local Recipients with Postfix
Installation
Server
TBC
SRS
See Configuration Noekeon.org.
DKIM
- Testing
- See also guides in DMARC below for DKIM testing / validation.
- Install
See this excellent guide on digitalocean.com.
vi /etc/opendkim.conf
vi /etc/default/opendkim
vi /etc/postfix/main.cf
umask 022
mkdir -p /etc/opendkim/keys/noekeon.org
vi /etc/opendkim/TrustedHosts
vi /etc/opendkim/KeyTable
vi /etc/opendkim/SigningTable
cd /etc/opendkim/keys/noekeon.org
opendkim-genkey -s mail -d noekeon.org
chown opendkim:opendkim mail.private
# Make sure that all other files / directory are world readable
cat mail.txt
service postfix restart
service opendkim restart
We verify that it works correctly:
- To check domain key validity, visit http://dkimcore.org/tools/keycheck.html. Typically use
default
as selector. - To verify that DKIM is correctly configured, send a mail to
check-auth@verifier.port25.com
. You should seeDKIM check:pass
.
- Alternatively, send a mail to a gmail account under your control, and check in email's headers that
dkim=pass
is present in theAuthentication-Results
header field.
- Troubleshoot - ... not internal, ... not authenticated
... It doesn't! We get dkim=neutral
.
Checking the logs, we have:
grep opendkim /var/log/mail.info
# ...
# May 6 18:21:17 ober rmilter[14579]: <323cc8a125>; msg done: queue_id: <092462225F>; message id: <>; ip: 91.134.134.85; from: <mip.opendkim@noekeon.org>; rcpt: <check-auth@verifier.port25.com> ...
# May 6 18:21:17 ober opendkim[24890]: 092462225F: prime.immie.org [91.134.134.85] not internal
# May 6 18:21:17 ober opendkim[24890]: 092462225F: not authenticated
# ...
Same issue is found in GitHub issue report. Opendkim thinks that user is not authenticated. This is because postfix does not forward macro {auth_type}
to opendkim milter. We edit /etc/postfix/main.cf:
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -159,7 +159,7 @@ smtpd_milters = inet:127.0.0.1:9900, inet:127.0.0.1:12301
non_smtpd_milters = inet:127.0.0.1:12301
milter_default_action = accept
milter_protocol = 6
-milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
Then restart the service:
service opendkim status
Now it works!
- Troubleshoot - ... rsa routines INT_RSA_VERIFY bad signature - bad signature data
We see regularly message like the one below.
May 9 16:25:08 ober postfix/smtpd[5444]: 5D37D2225F: client=vger.kernel.org[209.132.180.67]
May 9 16:25:08 ober rmilter[14579]: <1d889902a2>; mlfi_data: queue id: <5D37D2225F>
May 9 16:25:08 ober rmilter[14579]: <1d889902a2>; spamdscan: ...
May 9 16:25:08 ober rmilter[14579]: <1d889902a2>; msg done: queue_id: <5D37D2225F>; message id: <xmqqziem151v.fsf@gitster.mtv.corp.google.com>; ip: 209.132.180.67; from: <git-owner@vger.kernel.org>; rcpt: <mbulk.git.vger@noekeon.org> (1 total); user: unauthorized; spam scan: no spam; virus scan: skipped, no av servers; dkim: not signed, ignored
May 9 16:25:08 ober opendkim[24890]: 5D37D2225F: vger.kernel.org [209.132.180.67] not internal
May 9 16:25:08 ober opendkim[24890]: 5D37D2225F: not authenticated
May 9 16:25:08 ober opendkim[24890]: 5D37D2225F: s=20161025 d=gmail.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
May 9 16:25:08 ober opendkim[24890]: 5D37D2225F: bad signature data
Reading a bit this might be due to modification of the message headers [1].
One solution would be to install opendkim first, then rmilter [2].
Note however that rmilter does not see a valid signature either (...; dkim: not signed, ...
).
We edit /etc/postfix/main.cf as follow.
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -155,7 +155,7 @@ smtpd_relay_restrictions =
# rmilter setup
# smtpd_milters = unix:/var/spool/rmilter/rmilter.sock
-smtpd_milters = inet:127.0.0.1:9900, inet:127.0.0.1:12301
+smtpd_milters = inet:127.0.0.1:12301, inet:127.0.0.1:9900
non_smtpd_milters = inet:127.0.0.1:12301
DMARC
See dmarc.org. DMARC is suggested by GMail Bulk Senders Guidelines, and when messages are bounced due to DMARC policy.
Available guides:
- http://www.isyweb.com/configurer-linux/?SPF%2C+DKIM+et+DMARC
- https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/
- Also covers installation of the DRMAC policy (to verify policy of incoming mails).
We can
- Publish a DMARC policy for outgoing mails. This is done by adding a DNS TXT record (see noekeon.org for instance).
- Verify DMARC policy of incoming mails. This requires to add a milter (see 2nd guide above).
- Testing
- To test DMARC policy, visit mail-tester.com and follow the instructions.
- New See also https://www.learndmarc.com/, an interactive visualization of how SPF / DKIM / DMARC is performed by mail host.
Aliases
Add static aliases in default configuration
- Edit /etc/aliases
- Then run newaliases:
newaliases
Uses regexp (dynamic) aliases
Edit file /etc/postfix/main.cf as follows [3]:
alias_maps = regexp:/etc/postfix/aliases-regexp
Then create /etc/postfix/aliases-regexp as follows:
/^tom\..*@domain.com$/ tom@other.com /^phil\..*@domain.com$/ phil@other.com
Local delivery (procmail, sieve...)
See local(8)
for documentation on local mail delivery.
Some information:
- Configuration file is /etc/postfix/mail.cf.
- One may configure several delivery methods. The precedence of delivery methods from high to low is [4]:
aliases
, .forward files,mailbox_transport_maps
,mailbox_transport
,mailbox_command_maps
,mailbox_command
,home_mailbox
,mail_spool_directory
,fallback_transport_maps
,fallback_transport
, andluser_relay
.
Procmail
Two options. Define it as user-level in ~/.forward file:
"|exec /usr/local/bin/procmail || exit 75"
Or define it at system-level in /etc/postfix/main.cf:
mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir
Sieve
See Sieve page.
Troubleshooting
Debugging aliases
Use postmap:
postmap -q mip@prime.immie.org hash:/etc/aliases regexp:/etc/aliases-regexp
postmap -q mip hash:/etc/aliases regexp:/etc/aliases-regexp
Handling deferred mail / message queue
Reference:
- View the queue
mailq # ... or ...
postqueue -p
- View a message
postcat -vq XXXXXXXXXX # Replace XXXXXXXXXX with message ID
- Process the queue now
postqueue -f # ... or ...
postfix flush
- Delete the queue
postsuper -d ALL
postsuper -d ALL deferred # Delete only deferred messages